Host containment (also known as quarantine or isolation) blocks a host's inbound and outbound network traffic except for what is needed to keep the endpoint agent connected to the security device console. Investigators can keep triaging the device from that console while the compromised device loses its access to the rest of the local network.
Each security device technology implements host containment a bit differently, but it usually does the following:
Block all TCP traffic to any IP/port, except the traffic the agent needs to reach its console.
Block all UDP traffic except what is needed for DNS (e.g. UDP/53) and DHCP. DNS and DHCP are generally allowed so the contained device keeps a usable address and can still resolve the console's name, which keeps communication between the console and the contained device working in both directions.
Allow ARP, so that IP addresses on the local segment can still be resolved to MAC addresses.
ICMP (ping) may still be allowed.
Terminate active sockets, so connections that were already open do not survive containment.
Some security devices can also allow connections to an approved/allowed IP list.
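To make the policy above concrete, here is an added example (not code from this page's vendor or from any particular security device) that renders the same containment rules as an nftables ruleset. It only writes the ruleset to standard output; loading it requires root and `nft -f`. The console port (443), the console address 192.0.2.10 and the allow-listed addresses 198.51.100.5 and 198.51.100.6 are assumptions taken from the RFC 5737 documentation ranges, not real endpoints.

```shell
#!/bin/sh
# Added example: emulate host containment with nftables.
# Assumptions: the agent reaches its console over TCP/443; all addresses
# passed in below are placeholders from RFC 5737 documentation ranges.
# ARP is untouched because the inet family does not filter it, which
# matches the policy (ARP stays allowed).

CONSOLE_PORT=443   # assumption: console is reached over HTTPS

# Join whitespace-separated words with ", " (nft set element syntax).
join_csv() {
    echo $1 | sed 's/ /, /g'
}

# Print a named ipv4 set; `elements = { }` is a syntax error in nft,
# so the elements line is only emitted when the list is non-empty.
emit_set() {
    printf '    set %s {\n        type ipv4_addr\n' "$1"
    [ -n "$2" ] && printf '        elements = { %s }\n' "$(join_csv "$2")"
    printf '    }\n'
}

# $1: console IPs (always allowed, TCP/$CONSOLE_PORT only)
# $2: extra allow-listed IPs (any protocol); may be empty
# $3: "yes" keeps ICMP echo working, anything else drops it
# `flush ruleset` replaces whatever host firewall was loaded before,
# so the containment policy cannot be shadowed by an older accept rule.
gen_containment_ruleset() {
    echo 'flush ruleset'
    echo 'table inet containment {'
    emit_set console "$1"
    emit_set allowed "$2"
    cat <<'EOF'
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
EOF
    echo "        ip daddr @console tcp dport $CONSOLE_PORT accept"
    cat <<'EOF'
        ip daddr @allowed accept
        udp dport 53 accept
        udp sport 68 udp dport 67 accept
EOF
    [ "$3" = "yes" ] && echo '        icmp type echo-request accept'
    cat <<'EOF'
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
EOF
    echo "        ip saddr @console tcp sport $CONSOLE_PORT accept"
    cat <<'EOF'
        ip saddr @allowed accept
        udp sport 53 accept
        udp sport 67 udp dport 68 accept
EOF
    [ "$3" = "yes" ] && echo '        icmp type echo-reply accept'
    cat <<'EOF'
    }
}
EOF
}

# Render the demo policy when invoked as: sh containment.sh render > containment.nft
if [ "${1:-}" = "render" ]; then
    gen_containment_ruleset "192.0.2.10" "198.51.100.5 198.51.100.6" no
fi
```

Two caveats worth knowing before relying on a home-grown version of this. There is deliberately no `ct state established` rule, so packets belonging to connections that were open before containment are dropped and those sessions stall, but the sockets themselves are not torn down; a real containment agent actively terminates them, which on Linux you can approximate with `ss -K` on a kernel built with socket destroy support. And only UDP/53 is permitted, exactly as the policy above states, so DNS answers that fall back to TCP/53 are blocked by this ruleset.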
Remediation settings are driven by customer contexts: based on the customer contexts you have configured, you can specify which assets to always deny or always allow.
We automate the remediation action itself, not the decision to remediate. Our analysts make the call on when and what to remediate, based on the settings you specify. You can also undo any remediation by clicking the Undo button in Workbench, which keeps you in control of your environment.